analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.zip

Full analysis: https://app.any.run/tasks/e018afa3-9786-48ed-a2fc-d1d75b4b8c49
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 29, 2020, 23:11:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

A251EFDB48C64507120B393C02B3BA24

SHA1:

F948D1EAFAAC5F8CD58AF5ACF5DEC7D75391D4C3

SHA256:

D14AA0DD82EF2C51D0B9B3BD06618E67343A1F18FDE19588AEC1F61779099595

SSDEEP:

3072:5z0H4qoNhCafwBiH1wqwY4BqRZQ7ZmOC3eCwOV4vpzgr2R/TCemmaLvRe3i3Nq:YDoNr4kHkDZgR87puL5eoq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • aeinv.exe (PID: 2096)
      • 7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe (PID: 1336)

    • Changes the autorun value in the registry

      • aeinv.exe (PID: 2096)

    • Connects to CnC server

      • aeinv.exe (PID: 2096)

    • EMOTET was detected

      • aeinv.exe (PID: 2096)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1876)
      • 7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe (PID: 1336)

    • Starts itself from another location

      • 7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe (PID: 1336)

    • Reads Internet Cache Settings

      • aeinv.exe (PID: 2096)

  • INFO

    • Manual execution by user

      • 7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe (PID: 1336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2020:09:29 23:11:15
ZipCRC: 0xfeb3fc8a
ZipCompressedSize: 150614
ZipUncompressedSize: 409600
ZipFileName: 7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe 7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe #EMOTET aeinv.exe

Process information

PID
CMD
Path
Indicators
Parent process
1876"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1336"C:\Users\admin\Desktop\7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe" C:\Users\admin\Desktop\7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe
explorer.exe
User:
admin
Company:
Flex Inc.
Integrity Level:
MEDIUM
Description:
Replacement for the Masked Edit Control v 2.0.
Exit code:
0
Version:
2.8.0.3
2096"C:\Users\admin\AppData\Local\KBDINBE1\aeinv.exe"C:\Users\admin\AppData\Local\KBDINBE1\aeinv.exe
7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exe
User:
admin
Company:
Flex Inc.
Integrity Level:
MEDIUM
Description:
Replacement for the Masked Edit Control v 2.0.
Version:
2.8.0.3
Total events
513
Read events
485
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
13367dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exeC:\Users\admin\AppData\Local\Temp\~DF9B3FCB0DB7573AAE.TMP
MD5:
SHA256:
1876WinRAR.exeC:\Users\admin\Desktop\7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exeexecutable
MD5:DE3999241E1012E15523EEB9A9D25F80
SHA256:7DCE53D23C72460C9B2059F549378E3D5E62F558091DB806395C39AB9877CE36
13367dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.exeC:\Users\admin\AppData\Local\KBDINBE1\aeinv.exeexecutable
MD5:DE3999241E1012E15523EEB9A9D25F80
SHA256:7DCE53D23C72460C9B2059F549378E3D5E62F558091DB806395C39AB9877CE36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2096
aeinv.exe
POST
200
116.91.240.96:80
http://116.91.240.96/rxNrTW/
JP
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2096
aeinv.exe
116.91.240.96:80
ARTERIA Networks Corporation
JP
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2096
aeinv.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M10
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
7dce53d23c72460c9b2059f549378e3d5e62f558091db806395c39ab9877ce36.zip